From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754738AbbIIUuv (ORCPT ); Wed, 9 Sep 2015 16:50:51 -0400 Received: from mx1.redhat.com ([209.132.183.28]:52667 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752026AbbIIUut (ORCPT ); Wed, 9 Sep 2015 16:50:49 -0400 From: Paul Moore To: Richard Guy Briggs Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com, eparis@redhat.com, v.rathor@gmail.com, ctcard@hotmail.com Subject: Re: [PATCH V1] audit: add warning that an old auditd may be starved out by a new auditd Date: Wed, 09 Sep 2015 16:50:48 -0400 Message-ID: <4246819.OGLW0CmS4i@sifl> Organization: Red Hat User-Agent: KMail/4.14.10 (Linux/4.1.5-gentoo; KDE/4.14.11; x86_64; ; ) In-Reply-To: <20150907165818.GH8140@madcap2.tricolour.ca> References: <5e786f07b6d8a19927c70345c14bd1a452164d38.1441644314.git.rgb@redhat.com> <20150907165818.GH8140@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Monday, September 07, 2015 12:58:18 PM Richard Guy Briggs wrote: > On 15/09/07, Richard Guy Briggs wrote: > > Nothing prevents a new auditd starting up and replacing a valid > > audit_pid when an old auditd is still running, effectively starving out > > the old auditd since audit_pid no longer points to the old valid auditd. > > > > There isn't an easy way to detect if an old auditd is still running on > > the existing audit_pid other than attempting to send a message to see if > > it fails. If no message to auditd has been attempted since auditd died > > unnaturally or got killed, audit_pid will still indicate it is alive. > > > > Signed-off-by: Richard Guy Briggs > > Ok, self-nack on this one for a couple of problems... > netlink_getsockbyportid() is static to af_netlink.c and "pid" should be > task_tgid_vnr(current). Otherwise, any opinions on this approach? > > > --- > > Note: Would it be too bold to actually block the registration of a new > > auditd if the netlink_getsockbyportid() call succeeded? Would other > > checks be appropriate? Hmm. It seems like we should prevent the registration of a new auditd if we already have an auditd instance connected, although as you say, that isn't the easiest thing to do. How painful would it be to return -EAGAIN to the new auditd while sending some sort of keep-alive/ping/etc. message to the old daemon to check its status? -- paul moore security @ redhat